Overview

Vendor : Linksys

Product : Linksys E1000 Router

Vulnerability Type : Stack-based Buffer Overflow

Affected Version : Firmware version ≤ v.2.1.03

Description : There is a stack-based buffer overflow in the pc_change_act function of Linksys E1000 router firmware version ≤ v.2.1.03, caused by an unbounded sprintf(), leading to remote code execution. An attacker who has web management privileges can reach it through the PC_enable parameter of a POST request to the apply.cgi interface.

Code Analysis

In the function pc_change_act, the parameter “cgi” holds the PC_enable value from the request. The value of “cgi” is copied into the stack buffer “v5” through sprintf() without checking the length of the string, which causes a stack-based buffer overflow.
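The pattern described above, as an added C example that is not code from the firmware or from this advisory: the vulnerable sprintf() copy beside a bounded snprintf() replacement, a helper that computes how many bytes a given PC_enable value would write past the end of the buffer, and a builder for the apply.cgi form body used to trigger it. The buffer size V5_SIZE, the function names and the body builder are assumptions; the page gives only the function name pc_change_act, the parameter PC_enable and the apply.cgi endpoint.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer "v5" in pc_change_act; the advisory does
 * not state the real size, so 64 is a placeholder for the demonstration. */
#define V5_SIZE 64

/* Mirrors the vulnerable pattern: the PC_enable value ("cgi") is formatted
 * into a fixed-size stack buffer with sprintf and no length check.  Only ever
 * called with short input here; a value longer than V5_SIZE smashes the stack. */
static int pc_change_act_vuln(const char *cgi)
{
    char v5[V5_SIZE];
    sprintf(v5, "%s", cgi);                 /* unbounded copy */
    return (int)strlen(v5);
}

/* Hardened form: snprintf bounds the write and reports the length the full
 * string would need, so an over-long PC_enable is detected and rejected. */
static int pc_change_act_safe(const char *cgi)
{
    char v5[V5_SIZE];
    int need = snprintf(v5, sizeof v5, "%s", cgi);
    if (need < 0 || (size_t)need >= sizeof v5)
        return -1;                          /* would truncate or overflow */
    return need;
}

/* Bytes an unbounded sprintf of `cgi` writes past the end of a V5_SIZE
 * buffer (0 if it fits), counting the NUL terminator. */
static size_t overflow_bytes(const char *cgi)
{
    size_t written = (size_t)snprintf(NULL, 0, "%s", cgi) + 1;
    return written > V5_SIZE ? written - V5_SIZE : 0;
}

/* Constructed apply.cgi form body carrying a PC_enable value of `len` copies
 * of `fill`.  Returns bytes written, or -1 if dst is too small. */
static int build_pc_enable_body(char *dst, size_t dstlen, size_t len, char fill)
{
    const char *prefix = "PC_enable=";
    size_t plen = strlen(prefix);
    if (plen + len + 1 > dstlen)
        return -1;
    memcpy(dst, prefix, plen);
    memset(dst + plen, fill, len);
    dst[plen + len] = '\0';
    return (int)(plen + len);
}

/* Convenience: the PC_enable value (after "PC_enable=") of `len` 'A's from a
 * constructed body, kept in a static buffer; NULL if it does not fit. */
static const char *pc_enable_value(size_t len)
{
    static char body[512];
    if (build_pc_enable_body(body, sizeof body, len, 'A') < 0)
        return NULL;
    return body + strlen("PC_enable=");
}

int main(void)
{
    const char *v = pc_enable_value(100);
    printf("PC_enable of 100 bytes: safe handler returns %d, "
           "sprintf would overrun v5 by %zu bytes\n",
           pc_change_act_safe(v), overflow_bytes(v));
    printf("PC_enable of 10 bytes: vulnerable handler copies %d bytes\n",
           pc_change_act_vuln(pc_enable_value(10)));
    return 0;
}
```

Because snprintf(NULL, 0, ...) returns the length the formatted string would need, overflow_bytes gives the overrun without ever performing the unsafe write, which is the check to run against a candidate PC_enable length before sending it to a live target under gdb.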


Environment Setup

https://www.linksys.com/nl/support-article/?articleNum=148397


Set up router environment through FirmAE.

Refer to https://github.com/pr0v3rbs/FirmAE for instructions

Screenshot from 2024-01-29 12-22-45.png

Run gdbserver and attach it to the httpd process

Screenshot from 2024-01-29 12-25-40.png

In gdb, connect to the remote gdbserver and attach to the httpd process